Analysis
max time kernel: 51s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25/09/2024, 23:19
Static task: static1
Behavioral task: behavioral1
  Sample: f70ddc97b207adabe689119ffdb417fb_JaffaCakes118.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: f70ddc97b207adabe689119ffdb417fb_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General
Target: f70ddc97b207adabe689119ffdb417fb_JaffaCakes118.exe
Size: 606KB
MD5: f70ddc97b207adabe689119ffdb417fb
SHA1: ab4eb75749181630430d5b8ef89561c960b2845b
SHA256: 80c67c07d6633052260435fa5e44b50d4f72c6cc174c5fdbcc75c88e01506788
SHA512: 8d56f94912ec9a839737c3cf43c50d4b9baa434c7b8d4812a2390c19473fd6be0d3ce234f7d7de8b1152e93678647200ca91c27a3c472926da8b5212db0bdf1b
SSDEEP: 12288:1GP7WUtpdOy2R+9zR2yXuhcW3PtPgRWkFouZRLBKf1zg2/nBL:1GXtPB9NhXuWYtPrkFLBcU8BL
Malware Config
Signatures
-
Boot or Logon Autostart Execution: Active Setup (2 TTPs, 64 IoCs)
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine. Active Setup runs a component's StubPath once for every user at logon (completion is tracked per user under HKCU), so the entry written here launches C:\Windows\system32\server.exe for each user who logs on. The key sits under WOW6432Node, meaning it was written by a 32-bit process; a 32-bit process's file writes to system32 are redirected to SysWOW64, so confirm where server.exe actually landed from the file activity rather than from the path string in the value.
All 64 rows take one of the three forms below; the same key is rewritten by each of the server.exe instances listed under "Executes dropped EXE".
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2bf41072-b2b1-21c1-b5c1-0305f4155515} | server.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2bf41072-b2b1-21c1-b5c1-0305f4155515}\StubPath = "C:\\Windows\\system32\\server.exe" | server.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2bf41072-b2b1-21c1-b5c1-0305f4155515}\StubPath = "C:\\Windows\\system32\\server.exe" | f70ddc97b207adabe689119ffdb417fb_JaffaCakes118.exe (one row)
Checks BIOS information in registry (2 TTPs, 64 IoCs)
BIOS information is often read in order to detect sandboxing environments. The two values queried, SystemBiosVersion and SystemBiosDate under HKLM\HARDWARE\DESCRIPTION\System, carry vendor strings that identify common hypervisors on unhardened virtual machines, so a sample can abort before revealing its payload. These are registry reads, not writes: Sysmon records key creation and value sets but not queries, so this behaviour is only visible to API-level or ETW registry monitoring such as the sandbox's own.
All 64 rows are queries of one of the two values below, every one attributed to server.exe.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | server.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | server.exe
Checks computer location settings (2 TTPs, 64 IoCs)
Looks up the country code configured in the registry, likely as a geofence. The value read, Control Panel\International\Geo\Nation in the user's hive, is the user's GeoID, the same data the GetUserGeoID API returns; malware commonly compares it against a list of countries in which it refuses to run. On its own this is a weak indicator, since locale-aware legitimate software reads the same value.
All 64 rows query the same value; 63 are attributed to server.exe and one to the original sample.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation | server.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation | f70ddc97b207adabe689119ffdb417fb_JaffaCakes118.exe (one row)
Executes dropped EXE (64 IoCs)
All 64 executed processes are server.exe. Three pids (4036, 4296, 4244) appear twice in the list, i.e. were reused after an earlier instance exited, so a pid alone does not identify one instance.
pid | Process
3048, 3176, 1968, 4972, 1992, 736, 440, 1640, 3028, 1060, 5032, 1012, 4756, 2320, 760, 8, 888, 2844, 1404, 3036, 4536, 1376, 5024, 2128, 1616, 1020, 3652, 4312, 3800, 4228, 392, 5036, 1384, 1496, 3644, 4844, 4984, 4036, 4296, 3944, 3844, 4244, 1484, 532, 4328, 4384, 3552, 4592, 1180, 4840, 4368, 2308, 2988, 3352, 4036, 4296, 4776, 2272, 4244, 2656, 4808, 2500, 4540, 3336 | server.exe
Adds Run key to start application (2 TTPs, 64 IoCs)
A second autostart, independent of the Active Setup entry: a Run value named StartKey under HKLM (32-bit view) that starts C:\Windows\system32\server.exe at every interactive logon.
All 64 rows are identical, each attributed to one of the server.exe instances.
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\StartKey = "C:\\Windows\\system32\\server.exe" | server.exe
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\server.exe server.exe File opened for modification C:\Windows\SysWOW64\server.exe server.exe File opened for modification C:\Windows\SysWOW64\server.exe server.exe File created C:\Windows\SysWOW64\server.exe server.exe File created C:\Windows\SysWOW64\server.exe server.exe File opened for modification C:\Windows\SysWOW64\server.exe server.exe File created C:\Windows\SysWOW64\server.exe server.exe File created C:\Windows\SysWOW64\server.exe server.exe File created C:\Windows\SysWOW64\server.exe server.exe File opened for modification C:\Windows\SysWOW64\server.exe server.exe File created C:\Windows\SysWOW64\server.exe server.exe File created C:\Windows\SysWOW64\server.exe server.exe File created C:\Windows\SysWOW64\server.exe server.exe File created C:\Windows\SysWOW64\server.exe server.exe File created C:\Windows\SysWOW64\server.exe server.exe File opened for modification C:\Windows\SysWOW64\server.exe server.exe File created C:\Windows\SysWOW64\server.exe server.exe File created C:\Windows\SysWOW64\server.exe server.exe File opened for modification C:\Windows\SysWOW64\server.exe server.exe File created C:\Windows\SysWOW64\server.exe server.exe File created C:\Windows\SysWOW64\server.exe server.exe File opened for modification C:\Windows\SysWOW64\server.exe server.exe File created C:\Windows\SysWOW64\server.exe server.exe File opened for modification C:\Windows\SysWOW64\server.exe server.exe File created C:\Windows\SysWOW64\server.exe server.exe File opened for modification C:\Windows\SysWOW64\server.exe server.exe File opened for modification C:\Windows\SysWOW64\server.exe server.exe File opened for modification C:\Windows\SysWOW64\server.exe server.exe File created C:\Windows\SysWOW64\server.exe server.exe File opened for modification C:\Windows\SysWOW64\server.exe server.exe File created C:\Windows\SysWOW64\server.exe server.exe File created C:\Windows\SysWOW64\server.exe server.exe File opened for 
modification C:\Windows\SysWOW64\server.exe server.exe File created C:\Windows\SysWOW64\server.exe server.exe File opened for modification C:\Windows\SysWOW64\server.exe server.exe File created C:\Windows\SysWOW64\server.exe server.exe File created C:\Windows\SysWOW64\server.exe server.exe File opened for modification C:\Windows\SysWOW64\server.exe server.exe File opened for modification C:\Windows\SysWOW64\server.exe server.exe File created C:\Windows\SysWOW64\server.exe server.exe File opened for modification C:\Windows\SysWOW64\server.exe server.exe File created C:\Windows\SysWOW64\server.exe server.exe File created C:\Windows\SysWOW64\server.exe server.exe File opened for modification C:\Windows\SysWOW64\server.exe server.exe File created C:\Windows\SysWOW64\server.exe server.exe File opened for modification C:\Windows\SysWOW64\server.exe f70ddc97b207adabe689119ffdb417fb_JaffaCakes118.exe File created C:\Windows\SysWOW64\server.exe server.exe File opened for modification C:\Windows\SysWOW64\server.exe server.exe File opened for modification C:\Windows\SysWOW64\server.exe server.exe File opened for modification C:\Windows\SysWOW64\server.exe server.exe File opened for modification C:\Windows\SysWOW64\server.exe server.exe File opened for modification C:\Windows\SysWOW64\server.exe server.exe File created C:\Windows\SysWOW64\server.exe server.exe File created C:\Windows\SysWOW64\server.exe server.exe File opened for modification C:\Windows\SysWOW64\server.exe server.exe File opened for modification C:\Windows\SysWOW64\server.exe server.exe File opened for modification C:\Windows\SysWOW64\server.exe server.exe File opened for modification C:\Windows\SysWOW64\server.exe server.exe File created C:\Windows\SysWOW64\server.exe server.exe File created C:\Windows\SysWOW64\server.exe server.exe File opened for modification C:\Windows\SysWOW64\server.exe server.exe File created C:\Windows\SysWOW64\server.exe server.exe File opened for modification 
C:\Windows\SysWOW64\server.exe server.exe File opened for modification C:\Windows\SysWOW64\server.exe server.exe -
resource yara_rule behavioral2/memory/3260-2-0x000000003A7A0000-0x000000003A7B1000-memory.dmp upx behavioral2/memory/3260-3-0x000000003A7A0000-0x000000003A7B1000-memory.dmp upx behavioral2/memory/3260-1-0x000000003A7A0000-0x000000003A7B1000-memory.dmp upx behavioral2/memory/3260-0-0x000000003A7A0000-0x000000003A7B1000-memory.dmp upx behavioral2/memory/3260-4-0x000000003C6C0000-0x000000003C6F8000-memory.dmp upx behavioral2/memory/3260-15-0x000000003A7A0000-0x000000003A7B1000-memory.dmp upx behavioral2/memory/3048-21-0x000000003C3E0000-0x000000003C3F1000-memory.dmp upx behavioral2/memory/3048-20-0x000000003C3E0000-0x000000003C3F1000-memory.dmp upx behavioral2/memory/3048-18-0x000000003C3E0000-0x000000003C3F1000-memory.dmp upx behavioral2/memory/3048-19-0x000000003C3E0000-0x000000003C3F1000-memory.dmp upx behavioral2/memory/3048-22-0x000000003C640000-0x000000003C678000-memory.dmp upx behavioral2/memory/3048-24-0x000000003C3E0000-0x000000003C3F1000-memory.dmp upx behavioral2/memory/3176-30-0x000000003A780000-0x000000003A791000-memory.dmp upx behavioral2/memory/3176-28-0x000000003A780000-0x000000003A791000-memory.dmp upx behavioral2/memory/3176-27-0x000000003A780000-0x000000003A791000-memory.dmp upx behavioral2/memory/3176-29-0x000000003A780000-0x000000003A791000-memory.dmp upx behavioral2/memory/3176-31-0x000000003C690000-0x000000003C6C8000-memory.dmp upx behavioral2/memory/3176-33-0x000000003A780000-0x000000003A791000-memory.dmp upx behavioral2/memory/1968-38-0x000000003A920000-0x000000003A931000-memory.dmp upx behavioral2/memory/1968-39-0x000000003A920000-0x000000003A931000-memory.dmp upx behavioral2/memory/1968-37-0x000000003A920000-0x000000003A931000-memory.dmp upx behavioral2/memory/1968-36-0x000000003A920000-0x000000003A931000-memory.dmp upx behavioral2/memory/1968-40-0x000000003CAF0000-0x000000003CB28000-memory.dmp upx behavioral2/memory/1968-42-0x000000003A920000-0x000000003A931000-memory.dmp upx 
behavioral2/memory/4972-48-0x000000003A860000-0x000000003A871000-memory.dmp upx behavioral2/memory/4972-47-0x000000003A860000-0x000000003A871000-memory.dmp upx behavioral2/memory/4972-46-0x000000003A860000-0x000000003A871000-memory.dmp upx behavioral2/memory/4972-45-0x000000003A860000-0x000000003A871000-memory.dmp upx behavioral2/memory/4972-49-0x000000003C6A0000-0x000000003C6D8000-memory.dmp upx behavioral2/memory/4972-51-0x000000003A860000-0x000000003A871000-memory.dmp upx behavioral2/memory/1992-57-0x000000003A980000-0x000000003A991000-memory.dmp upx behavioral2/memory/1992-56-0x000000003A980000-0x000000003A991000-memory.dmp upx behavioral2/memory/1992-55-0x000000003A980000-0x000000003A991000-memory.dmp upx behavioral2/memory/1992-54-0x000000003A980000-0x000000003A991000-memory.dmp upx behavioral2/memory/1992-58-0x000000003CB40000-0x000000003CB78000-memory.dmp upx behavioral2/memory/1992-60-0x000000003A980000-0x000000003A991000-memory.dmp upx behavioral2/memory/736-63-0x000000003A710000-0x000000003A721000-memory.dmp upx behavioral2/memory/736-64-0x000000003A710000-0x000000003A721000-memory.dmp upx behavioral2/memory/736-66-0x000000003A710000-0x000000003A721000-memory.dmp upx behavioral2/memory/736-65-0x000000003A710000-0x000000003A721000-memory.dmp upx behavioral2/memory/736-67-0x000000003C610000-0x000000003C648000-memory.dmp upx behavioral2/memory/736-69-0x000000003A710000-0x000000003A721000-memory.dmp upx behavioral2/memory/440-72-0x000000003A6D0000-0x000000003A6E1000-memory.dmp upx behavioral2/memory/440-75-0x000000003A6D0000-0x000000003A6E1000-memory.dmp upx behavioral2/memory/440-74-0x000000003A6D0000-0x000000003A6E1000-memory.dmp upx behavioral2/memory/440-73-0x000000003A6D0000-0x000000003A6E1000-memory.dmp upx behavioral2/memory/440-76-0x000000003CB20000-0x000000003CB58000-memory.dmp upx behavioral2/memory/440-78-0x000000003A6D0000-0x000000003A6E1000-memory.dmp upx -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language server.exe Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language server.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language server.exe -
Checks processor information in registry 2 TTPs 64 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 server.exe Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 server.exe Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString server.exe Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier server.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 server.exe Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier server.exe Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier server.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString server.exe Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet server.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString 
server.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier server.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 server.exe Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier server.exe Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet server.exe Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier server.exe Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 server.exe Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString server.exe Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString server.exe Key value queried 
\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString server.exe Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet server.exe Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier server.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 server.exe Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet server.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 server.exe Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 server.exe Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier server.exe Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 server.exe Key value 
queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier server.exe Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 server.exe -
Enumerates system info in registry 2 TTPs 64 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier 
server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier server.exe Key value 
queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier f70ddc97b207adabe689119ffdb417fb_JaffaCakes118.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier server.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 3260 f70ddc97b207adabe689119ffdb417fb_JaffaCakes118.exe 3260 f70ddc97b207adabe689119ffdb417fb_JaffaCakes118.exe 3048 server.exe 3048 server.exe 3176 server.exe 3176 server.exe 1968 server.exe 1968 server.exe 4972 server.exe 4972 server.exe 1992 server.exe 1992 server.exe 736 server.exe 736 server.exe 440 server.exe 440 server.exe 1640 server.exe 1640 server.exe 3028 server.exe 3028 server.exe 1060 server.exe 1060 server.exe 5032 server.exe 5032 server.exe 1012 server.exe 1012 server.exe 4756 server.exe 4756 server.exe 2320 server.exe 2320 server.exe 760 server.exe 760 server.exe 8 server.exe 8 server.exe 888 server.exe 888 server.exe 2844 server.exe 2844 server.exe 1404 server.exe 1404 server.exe 3036 server.exe 3036 server.exe 4536 server.exe 4536 server.exe 1376 server.exe 1376 server.exe 5024 server.exe 5024 server.exe 2128 server.exe 2128 server.exe 1616 server.exe 1616 server.exe 1020 server.exe 1020 server.exe 3652 server.exe 3652 server.exe 4312 server.exe 4312 server.exe 3800 server.exe 3800 server.exe 4228 server.exe 4228 server.exe 392 server.exe 392 server.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 3260 f70ddc97b207adabe689119ffdb417fb_JaffaCakes118.exe 3048 server.exe 3176 server.exe 1968 server.exe 4972 server.exe 1992 server.exe 736 server.exe 440 server.exe 1640 server.exe 3028 server.exe 1060 server.exe 5032 server.exe 1012 server.exe 4756 server.exe 2320 server.exe 760 server.exe 8 server.exe 888 server.exe 2844 server.exe 1404 server.exe 3036 server.exe 4536 server.exe 1376 server.exe 5024 server.exe 2128 server.exe 1616 server.exe 1020 server.exe 3652 server.exe 4312 server.exe 3800 server.exe 4228 server.exe 392 server.exe 5036 server.exe 1384 server.exe 1496 server.exe 3644 server.exe 4844 server.exe 4984 server.exe 4036 server.exe 4296 server.exe 3944 server.exe 3844 server.exe 4244 server.exe 1484 server.exe 532 server.exe 4328 server.exe 4384 server.exe 3552 server.exe 4592 server.exe 1180 server.exe 4840 server.exe 4368 server.exe 2308 server.exe 2988 server.exe 3352 server.exe 4036 server.exe 4296 server.exe 4776 server.exe 2272 server.exe 4244 server.exe 2656 server.exe 4808 server.exe 2500 server.exe 4540 server.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 3260 wrote to memory of 3424 | 3260 | f70ddc97b207adabe689119ffdb417fb_JaffaCakes118.exe | 56
PID 3260 wrote to memory of 3424 | 3260 | f70ddc97b207adabe689119ffdb417fb_JaffaCakes118.exe | 56
PID 3260 wrote to memory of 3424 | 3260 | f70ddc97b207adabe689119ffdb417fb_JaffaCakes118.exe | 56
PID 3260 wrote to memory of 3424 | 3260 | f70ddc97b207adabe689119ffdb417fb_JaffaCakes118.exe | 56
PID 3260 wrote to memory of 3048 | 3260 | f70ddc97b207adabe689119ffdb417fb_JaffaCakes118.exe | 82
PID 3260 wrote to memory of 3048 | 3260 | f70ddc97b207adabe689119ffdb417fb_JaffaCakes118.exe | 82
PID 3260 wrote to memory of 3048 | 3260 | f70ddc97b207adabe689119ffdb417fb_JaffaCakes118.exe | 82
PID 3048 wrote to memory of 3424 | 3048 | server.exe | 56
PID 3048 wrote to memory of 3424 | 3048 | server.exe | 56
PID 3048 wrote to memory of 3424 | 3048 | server.exe | 56
PID 3048 wrote to memory of 3424 | 3048 | server.exe | 56
PID 3048 wrote to memory of 3176 | 3048 | server.exe | 83
PID 3048 wrote to memory of 3176 | 3048 | server.exe | 83
PID 3048 wrote to memory of 3176 | 3048 | server.exe | 83
PID 3176 wrote to memory of 3424 | 3176 | server.exe | 56
PID 3176 wrote to memory of 3424 | 3176 | server.exe | 56
PID 3176 wrote to memory of 3424 | 3176 | server.exe | 56
PID 3176 wrote to memory of 3424 | 3176 | server.exe | 56
PID 3176 wrote to memory of 1968 | 3176 | server.exe | 84
PID 3176 wrote to memory of 1968 | 3176 | server.exe | 84
PID 3176 wrote to memory of 1968 | 3176 | server.exe | 84
PID 1968 wrote to memory of 3424 | 1968 | server.exe | 56
PID 1968 wrote to memory of 3424 | 1968 | server.exe | 56
PID 1968 wrote to memory of 3424 | 1968 | server.exe | 56
PID 1968 wrote to memory of 3424 | 1968 | server.exe | 56
PID 1968 wrote to memory of 4972 | 1968 | server.exe | 85
PID 1968 wrote to memory of 4972 | 1968 | server.exe | 85
PID 1968 wrote to memory of 4972 | 1968 | server.exe | 85
PID 4972 wrote to memory of 3424 | 4972 | server.exe | 56
PID 4972 wrote to memory of 3424 | 4972 | server.exe | 56
PID 4972 wrote to memory of 3424 | 4972 | server.exe | 56
PID 4972 wrote to memory of 3424 | 4972 | server.exe | 56
PID 4972 wrote to memory of 1992 | 4972 | server.exe | 86
PID 4972 wrote to memory of 1992 | 4972 | server.exe | 86
PID 4972 wrote to memory of 1992 | 4972 | server.exe | 86
PID 1992 wrote to memory of 3424 | 1992 | server.exe | 56
PID 1992 wrote to memory of 3424 | 1992 | server.exe | 56
PID 1992 wrote to memory of 3424 | 1992 | server.exe | 56
PID 1992 wrote to memory of 3424 | 1992 | server.exe | 56
PID 1992 wrote to memory of 736 | 1992 | server.exe | 87
PID 1992 wrote to memory of 736 | 1992 | server.exe | 87
PID 1992 wrote to memory of 736 | 1992 | server.exe | 87
PID 736 wrote to memory of 3424 | 736 | server.exe | 56
PID 736 wrote to memory of 3424 | 736 | server.exe | 56
PID 736 wrote to memory of 3424 | 736 | server.exe | 56
PID 736 wrote to memory of 3424 | 736 | server.exe | 56
PID 736 wrote to memory of 440 | 736 | server.exe | 88
PID 736 wrote to memory of 440 | 736 | server.exe | 88
PID 736 wrote to memory of 440 | 736 | server.exe | 88
PID 440 wrote to memory of 3424 | 440 | server.exe | 56
PID 440 wrote to memory of 3424 | 440 | server.exe | 56
PID 440 wrote to memory of 3424 | 440 | server.exe | 56
PID 440 wrote to memory of 3424 | 440 | server.exe | 56
PID 440 wrote to memory of 1640 | 440 | server.exe | 89
PID 440 wrote to memory of 1640 | 440 | server.exe | 89
PID 440 wrote to memory of 1640 | 440 | server.exe | 89
PID 1640 wrote to memory of 3424 | 1640 | server.exe | 56
PID 1640 wrote to memory of 3424 | 1640 | server.exe | 56
PID 1640 wrote to memory of 3424 | 1640 | server.exe | 56
PID 1640 wrote to memory of 3424 | 1640 | server.exe | 56
PID 1640 wrote to memory of 3028 | 1640 | server.exe | 90
PID 1640 wrote to memory of 3028 | 1640 | server.exe | 90
PID 1640 wrote to memory of 3028 | 1640 | server.exe | 90
PID 3028 wrote to memory of 3424 | 3028 | server.exe | 56
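The rows above pair each writer with its target, but the split an analyst wants is whether the target is a process the writer had just spawned or an unrelated, already-running process. The following Python is an added example, not part of the tria.ge report: it recovers parent/child relationships from the depth-annotated process tree further down and classifies every WriteProcessMemory row against that tree. The embedded tree rows and write events are copied from this report for the first five nesting levels; the function names and the classification labels are the example's own.

```python
import re

# Process tree rows (depth, pid, image) copied from the "Processes" section
# of this report; only the first five nesting levels are embedded here.
PROCESS_TREE = [
    (1, 3424, r"C:\Windows\Explorer.EXE"),
    (2, 3260, r"C:\Users\Admin\AppData\Local\Temp\f70ddc97b207adabe689119ffdb417fb_JaffaCakes118.exe"),
    (3, 3048, r"C:\Windows\SysWOW64\server.exe"),
    (4, 3176, r"C:\Windows\SysWOW64\server.exe"),
    (5, 1968, r"C:\Windows\SysWOW64\server.exe"),
]

# WriteProcessMemory rows copied from the table above for those PIDs.
WRITE_EVENTS = """\
PID 3260 wrote to memory of 3424 3260 f70ddc97b207adabe689119ffdb417fb_JaffaCakes118.exe 56
PID 3260 wrote to memory of 3424 3260 f70ddc97b207adabe689119ffdb417fb_JaffaCakes118.exe 56
PID 3260 wrote to memory of 3424 3260 f70ddc97b207adabe689119ffdb417fb_JaffaCakes118.exe 56
PID 3260 wrote to memory of 3424 3260 f70ddc97b207adabe689119ffdb417fb_JaffaCakes118.exe 56
PID 3260 wrote to memory of 3048 3260 f70ddc97b207adabe689119ffdb417fb_JaffaCakes118.exe 82
PID 3260 wrote to memory of 3048 3260 f70ddc97b207adabe689119ffdb417fb_JaffaCakes118.exe 82
PID 3260 wrote to memory of 3048 3260 f70ddc97b207adabe689119ffdb417fb_JaffaCakes118.exe 82
PID 3048 wrote to memory of 3424 3048 server.exe 56
PID 3048 wrote to memory of 3424 3048 server.exe 56
PID 3048 wrote to memory of 3424 3048 server.exe 56
PID 3048 wrote to memory of 3424 3048 server.exe 56
PID 3048 wrote to memory of 3176 3048 server.exe 83
PID 3048 wrote to memory of 3176 3048 server.exe 83
PID 3048 wrote to memory of 3176 3048 server.exe 83
PID 3176 wrote to memory of 3424 3176 server.exe 56
PID 3176 wrote to memory of 3424 3176 server.exe 56
PID 3176 wrote to memory of 3424 3176 server.exe 56
PID 3176 wrote to memory of 3424 3176 server.exe 56
PID 3176 wrote to memory of 1968 3176 server.exe 84
PID 3176 wrote to memory of 1968 3176 server.exe 84
PID 3176 wrote to memory of 1968 3176 server.exe 84
"""

# Row shape: "PID <src> wrote to memory of <dst> <src> <image> <procid_target>"
EVENT_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\d+)")


def parent_map(rows):
    """Recover parent PIDs from a depth-annotated pre-order process listing.

    The parent of a node at depth d is the most recent node at depth d-1, so a
    stack of the current ancestor path suffices; this handles branching trees,
    not only the single chain on this page. Caveat: further down the report the
    same PID recurs at two depths (4036 at depths 40 and 57), so over the full
    tree key on the sandbox's own process index rather than the raw PID.
    """
    parents = {}
    ancestors = []  # ancestors[i] is the most recent pid seen at depth i+1
    for depth, pid, _image in rows:
        del ancestors[depth - 1:]
        parents[pid] = ancestors[-1] if ancestors else None
        ancestors.append(pid)
    return parents


def parse_events(text):
    """Return (src_pid, dst_pid, src_image) for every write row that matches."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.search(line)
        if m:
            events.append((int(m.group(1)), int(m.group(2)), m.group(3)))
    return events


def classify_write(src, dst, parents):
    """'child' when the writer is the target's parent (payload handed to a process
    it just created); 'cross-process' for any other target, the injection signal."""
    return "child" if parents.get(dst) == src else "cross-process"


def summarize_writes(events, parents):
    """Per target PID: number of writes, set of writer PIDs, set of write kinds."""
    summary = {}
    for src, dst, _src_image in events:
        entry = summary.setdefault(dst, {"count": 0, "writers": set(), "kinds": set()})
        entry["count"] += 1
        entry["writers"].add(src)
        entry["kinds"].add(classify_write(src, dst, parents))
    return summary


def injection_targets(summary):
    """PIDs that received at least one write from something other than their parent."""
    return sorted(pid for pid, entry in summary.items() if "cross-process" in entry["kinds"])


if __name__ == "__main__":
    parents = parent_map(PROCESS_TREE)
    images = {pid: image for _depth, pid, image in PROCESS_TREE}
    summary = summarize_writes(parse_events(WRITE_EVENTS), parents)
    for pid in injection_targets(summary):
        entry = summary[pid]
        print(f"PID {pid} ({images[pid]}): {entry['count']} writes from {sorted(entry['writers'])}")
```

Run as a script, it reports PID 3424 (Explorer.EXE) as the only cross-process target in the embedded rows, written by 3260, 3048 and 3176. The three writes each server.exe makes to its own child fit the pattern of handing a payload to a freshly spawned process; the four writes every level makes to Explorer.EXE, a process none of them created, are the injection signal. Two details from the report are worth carrying into any real tooling: PIDs are recycled within this single run (4036, 4296, 3176 and others appear at two depths), so the procid_target column is the stable identifier, and the command line names C:\Windows\system32\server.exe while the image path is C:\Windows\SysWOW64\server.exe, which is WOW64 file-system redirection for a 32-bit process, so a hunt keyed only on the literal system32 path would miss the file.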
Processes
- Depth 1, PID 3424: C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
- Depth 2, PID 3260: C:\Users\Admin\AppData\Local\Temp\f70ddc97b207adabe689119ffdb417fb_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f70ddc97b207adabe689119ffdb417fb_JaffaCakes118.exe"
  - Boot or Logon Autostart Execution: Active Setup
  - Checks computer location settings
  - Drops file in System32 directory
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
- Depth 3, PID 3048: C:\Windows\SysWOW64\server.exe
  Command line: "C:\Windows\system32\server.exe" "C:\Users\Admin\AppData\Local\Temp\f70ddc97b207adabe689119ffdb417fb_JaffaCakes118.exe"
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
- Depth 4, PID 3176: C:\Windows\SysWOW64\server.exe
  Command line: "C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Drops file in System32 directory
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
- Depth 5, PID 1968: C:\Windows\SysWOW64\server.exe
  Command line: "C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
- Depth 6, PID 4972: C:\Windows\SysWOW64\server.exe
  Command line: "C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"
  - Boot or Logon Autostart Execution: Active Setup
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
- Depth 7, PID 1992: C:\Windows\SysWOW64\server.exe
  Command line: "C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
- Depth 8, PID 736: C:\Windows\SysWOW64\server.exe
  Command line: "C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
- Depth 9, PID 440: C:\Windows\SysWOW64\server.exe
  Command line: "C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
- Depth 10, PID 1640: C:\Windows\SysWOW64\server.exe
  Command line: "C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
- Depth 11, PID 3028: C:\Windows\SysWOW64\server.exe
  Command line: "C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
- Depth 12, PID 1060: C:\Windows\SysWOW64\server.exe
  Command line: "C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
- Depth 13, PID 5032: C:\Windows\SysWOW64\server.exe
  Command line: "C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
- Depth 14, PID 1012: C:\Windows\SysWOW64\server.exe
  Command line: "C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
- Depth 15, PID 4756: C:\Windows\SysWOW64\server.exe
  Command line: "C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
- Depth 16, PID 2320: C:\Windows\SysWOW64\server.exe
  Command line: "C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"
  - Executes dropped EXE
  - Drops file in System32 directory
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
- Depth 17, PID 760: C:\Windows\SysWOW64\server.exe
  Command line: "C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"
  - Boot or Logon Autostart Execution: Active Setup
  - Checks computer location settings
  - Executes dropped EXE
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
- Depth 18, PID 8: C:\Windows\SysWOW64\server.exe
  Command line: "C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"
  - Boot or Logon Autostart Execution: Active Setup
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
- Depth 19, PID 888: C:\Windows\SysWOW64\server.exe
  Command line: "C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
- Depth 20, PID 2844: C:\Windows\SysWOW64\server.exe
  Command line: "C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"
  - Checks BIOS information in registry
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
- Depth 21, PID 1404: C:\Windows\SysWOW64\server.exe
  Command line: "C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
- Depth 22, PID 3036: C:\Windows\SysWOW64\server.exe
  Command line: "C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
- Depth 23, PID 4536: C:\Windows\SysWOW64\server.exe
  Command line: "C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
- Depth 24, PID 1376: C:\Windows\SysWOW64\server.exe
  Command line: "C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
- Depth 25, PID 5024: C:\Windows\SysWOW64\server.exe
  Command line: "C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
- Depth 26, PID 2128: C:\Windows\SysWOW64\server.exe
  Command line: "C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
- Depth 27, PID 1616: C:\Windows\SysWOW64\server.exe
  Command line: "C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
- Depth 28, PID 1020: C:\Windows\SysWOW64\server.exe
  Command line: "C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"
  - Executes dropped EXE
  - Adds Run key to start application
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
- Depth 29, PID 3652: C:\Windows\SysWOW64\server.exe
  Command line: "C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
- Depth 30, PID 4312: C:\Windows\SysWOW64\server.exe
  Command line: "C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
- Depth 31, PID 3800: C:\Windows\SysWOW64\server.exe
  Command line: "C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
- Depth 32, PID 4228: C:\Windows\SysWOW64\server.exe
  Command line: "C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"
  - Executes dropped EXE
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
- Depth 33, PID 392: C:\Windows\SysWOW64\server.exe
  Command line: "C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
- Depth 34, PID 5036: C:\Windows\SysWOW64\server.exe
  Command line: "C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Enumerates system info in registry
  - Suspicious use of FindShellTrayWindow
- Depth 35, PID 1384: C:\Windows\SysWOW64\server.exe
  Command line: "C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of FindShellTrayWindow
- Depth 36, PID 1496: C:\Windows\SysWOW64\server.exe
  Command line: "C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
- Depth 37, PID 3644: C:\Windows\SysWOW64\server.exe
  Command line: "C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
- Depth 38, PID 4844: C:\Windows\SysWOW64\server.exe
  Command line: "C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of FindShellTrayWindow
- Depth 39, PID 4984: C:\Windows\SysWOW64\server.exe
  Command line: "C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"
  - Executes dropped EXE
  - Adds Run key to start application
  - Enumerates system info in registry
  - Suspicious use of FindShellTrayWindow
- Depth 40, PID 4036: C:\Windows\SysWOW64\server.exe
  Command line: "C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
- Depth 41, PID 4296: C:\Windows\SysWOW64\server.exe
  Command line: "C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
- Depth 42, PID 3944: C:\Windows\SysWOW64\server.exe
  Command line: "C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Checks processor information in registry
  - Suspicious use of FindShellTrayWindow
- Depth 43, PID 3844: C:\Windows\SysWOW64\server.exe
  Command line: "C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
- Depth 44, PID 4244: C:\Windows\SysWOW64\server.exe
  Command line: "C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
- Depth 45, PID 1484: C:\Windows\SysWOW64\server.exe
  Command line: "C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Enumerates system info in registry
  - Suspicious use of FindShellTrayWindow
- Depth 46, PID 532: C:\Windows\SysWOW64\server.exe
  Command line: "C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious use of FindShellTrayWindow
- Depth 47, PID 4328: C:\Windows\SysWOW64\server.exe
  Command line: "C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
- Depth 48, PID 4384: C:\Windows\SysWOW64\server.exe
  Command line: "C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Checks processor information in registry
  - Suspicious use of FindShellTrayWindow
- Depth 49, PID 3552: C:\Windows\SysWOW64\server.exe
  Command line: "C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Adds Run key to start application
  - Enumerates system info in registry
  - Suspicious use of FindShellTrayWindow
- Depth 50, PID 4592: C:\Windows\SysWOW64\server.exe
  Command line: "C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"
  - Boot or Logon Autostart Execution: Active Setup
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Enumerates system info in registry
  - Suspicious use of FindShellTrayWindow
- Depth 51, PID 1180: C:\Windows\SysWOW64\server.exe
  Command line: "C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - Enumerates system info in registry
  - Suspicious use of FindShellTrayWindow
- Depth 52, PID 4840: C:\Windows\SysWOW64\server.exe
  Command line: "C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"
  - Executes dropped EXE
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of FindShellTrayWindow
- Depth 53, PID 4368: C:\Windows\SysWOW64\server.exe
  Command line: "C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"
  - Boot or Logon Autostart Execution: Active Setup
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks processor information in registry
  - Suspicious use of FindShellTrayWindow
- Depth 54, PID 2308: C:\Windows\SysWOW64\server.exe
  Command line: "C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"
  - Boot or Logon Autostart Execution: Active Setup
  - Checks BIOS information in registry
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
- Depth 55, PID 2988: C:\Windows\SysWOW64\server.exe
  Command line: "C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"
  - Boot or Logon Autostart Execution: Active Setup
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
- Depth 56, PID 3352: C:\Windows\SysWOW64\server.exe
  Command line: "C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
- Depth 57, PID 4036: C:\Windows\SysWOW64\server.exe
  Command line: "C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of FindShellTrayWindow
- Depth 58, PID 4296: C:\Windows\SysWOW64\server.exe
  Command line: "C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of FindShellTrayWindow
- Depth 59, PID 4776: C:\Windows\SysWOW64\server.exe
  Command line: "C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Enumerates system info in registry
  - Suspicious use of FindShellTrayWindow
- Depth 60, PID 2272: C:\Windows\SysWOW64\server.exe
  Command line: "C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"
  - Executes dropped EXE
  - Enumerates system info in registry
  - Suspicious use of FindShellTrayWindow
- Depth 61, PID 4244: C:\Windows\SysWOW64\server.exe
  Command line: "C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious use of FindShellTrayWindow
- Depth 62, PID 2656: C:\Windows\SysWOW64\server.exe
  Command line: "C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of FindShellTrayWindow
- Depth 63, PID 4808: C:\Windows\SysWOW64\server.exe
  Command line: "C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
- Depth 64, PID 2500: C:\Windows\SysWOW64\server.exe
  Command line: "C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks processor information in registry
  - Suspicious use of FindShellTrayWindow
- Depth 65, PID 4540: C:\Windows\SysWOW64\server.exe
  Command line: "C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
- Depth 66, PID 3336: C:\Windows\SysWOW64\server.exe
  Command line: "C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
- Depth 67, PID 4340: C:\Windows\SysWOW64\server.exe
  Command line: "C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"
  - Boot or Logon Autostart Execution: Active Setup
  - Adds Run key to start application
  - Checks processor information in registry
- Depth 68, PID 4352: C:\Windows\SysWOW64\server.exe
  Command line: "C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"
  - Checks BIOS information in registry
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Enumerates system info in registry
- Depth 69, PID 748: C:\Windows\SysWOW64\server.exe
  Command line: "C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"
  - Checks BIOS information in registry
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
- Depth 70, PID 3100: C:\Windows\SysWOW64\server.exe
  Command line: "C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
- Depth 71, PID 2144: C:\Windows\SysWOW64\server.exe
  Command line: "C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
- Depth 72, PID 3236: C:\Windows\SysWOW64\server.exe
  Command line: "C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"
  - Boot or Logon Autostart Execution: Active Setup
  - Checks BIOS information in registry
  - Adds Run key to start application
  - Drops file in System32 directory
  - Checks processor information in registry
  - Enumerates system info in registry
- Depth 73, PID 3036: C:\Windows\SysWOW64\server.exe
  Command line: "C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"
  - Boot or Logon Autostart Execution: Active Setup
- Depth 74, PID 2036: C:\Windows\SysWOW64\server.exe
  Command line: "C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"
  - Checks BIOS information in registry
  - Checks computer location settings
  - Adds Run key to start application
  - Drops file in System32 directory
  - Checks processor information in registry
  - Enumerates system info in registry
- Depth 75, PID 2692: C:\Windows\SysWOW64\server.exe
  Command line: "C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"
  - Boot or Logon Autostart Execution: Active Setup
  - Checks computer location settings
  - Enumerates system info in registry
- Depth 76, PID 1484: C:\Windows\SysWOW64\server.exe
  Command line: "C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"
  - Checks computer location settings
  - Enumerates system info in registry
- Depth 77, PID 5108: C:\Windows\SysWOW64\server.exe
  Command line: "C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"
  - Checks computer location settings
  - Enumerates system info in registry
- Depth 78, PID 4328: C:\Windows\SysWOW64\server.exe
  Command line: "C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"
  - Boot or Logon Autostart Execution: Active Setup
  - Checks BIOS information in registry
  - Adds Run key to start application
  - Checks processor information in registry
  - Enumerates system info in registry
- Depth 79, PID 1120: C:\Windows\SysWOW64\server.exe
  Command line: "C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"
  - Checks BIOS information in registry
  - System Location Discovery: System Language Discovery
- Depth 80, PID 4940: C:\Windows\SysWOW64\server.exe
  Command line: "C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Checks processor information in registry
  - Enumerates system info in registry
- Depth 81, PID 4540: C:\Windows\SysWOW64\server.exe
  Command line: "C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"
  - Checks computer location settings
  - Checks processor information in registry
- Depth 82, PID 3336: C:\Windows\SysWOW64\server.exe
  Command line: "C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"
  - Adds Run key to start application
  - Enumerates system info in registry
- Depth 83, PID 4340: C:\Windows\SysWOW64\server.exe
  Command line: "C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"
  - Drops file in System32 directory
- Depth 84, PID 4352: C:\Windows\SysWOW64\server.exe
  Command line: "C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"
  - Boot or Logon Autostart Execution: Active Setup
  - Adds Run key to start application
  - Drops file in System32 directory
- Depth 85, PID 3644: C:\Windows\SysWOW64\server.exe
  Command line: "C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"
  - Checks BIOS information in registry
  - Checks computer location settings
  - Adds Run key to start application
  - Enumerates system info in registry
- Depth 86, PID 3232: C:\Windows\SysWOW64\server.exe
  Command line: "C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"
  - Checks BIOS information in registry
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
- Depth 87, PID 4836: C:\Windows\SysWOW64\server.exe
  Command line: "C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"
  - Checks BIOS information in registry
  - Drops file in System32 directory
- Depth 88, PID 3600: C:\Windows\SysWOW64\server.exe
  Command line: "C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"
  - Checks BIOS information in registry
  - Checks processor information in registry
- Depth 89, PID 3384: C:\Windows\SysWOW64\server.exe
  Command line: "C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"
  - Checks BIOS information in registry
  - Checks computer location settings
- Depth 90, PID 1216: C:\Windows\SysWOW64\server.exe
  Command line: "C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"
  - Boot or Logon Autostart Execution: Active Setup
  - Checks BIOS information in registry
  - Checks computer location settings
  - Adds Run key to start application
  - Drops file in System32 directory
- Depth 91, PID 808: C:\Windows\SysWOW64\server.exe
  Command line: "C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"
  - Checks BIOS information in registry
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
- Depth 92, PID 4772: C:\Windows\SysWOW64\server.exe
  Command line: "C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"
  - Boot or Logon Autostart Execution: Active Setup
  - Checks computer location settings
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Enumerates system info in registry
- Depth 93, PID 3800: C:\Windows\SysWOW64\server.exe
  Command line: "C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"
  - Checks BIOS information in registry
  - Drops file in System32 directory
- Depth 94, PID 4348: C:\Windows\SysWOW64\server.exe
  Command line: "C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"
  - Boot or Logon Autostart Execution: Active Setup
  - Checks computer location settings
  - Enumerates system info in registry
- Depth 95, PID 2220: C:\Windows\SysWOW64\server.exe
  Command line: "C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"
  - Boot or Logon Autostart Execution: Active Setup
  - Drops file in System32 directory
- Depth 96, PID 3524: C:\Windows\SysWOW64\server.exe
  Command line: "C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"
  - Drops file in System32 directory
  - Checks processor information in registry
- Depth 97, PID 4936: C:\Windows\SysWOW64\server.exe
  Command line: "C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"
  - Checks processor information in registry
- Depth 98, PID 388: C:\Windows\SysWOW64\server.exe
  Command line: "C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
- Depth 99, PID 3432: C:\Windows\SysWOW64\server.exe
  Command line: "C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Drops file in System32 directory
  - Checks processor information in registry
- Depth 100, PID 2556: C:\Windows\SysWOW64\server.exe
  Command line: "C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"
  - Boot or Logon Autostart Execution: Active Setup
  - Checks BIOS information in registry
  - Drops file in System32 directory
  - Enumerates system info in registry
- Depth 101, PID 4640: C:\Windows\SysWOW64\server.exe
  Command line: "C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"
  - Boot or Logon Autostart Execution: Active Setup
  - Adds Run key to start application
- Depth 102, PID 1596: C:\Windows\SysWOW64\server.exe
  Command line: "C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"
  - Drops file in System32 directory
  - Enumerates system info in registry
- Depth 103, PID 4864: C:\Windows\SysWOW64\server.exe
  Command line: "C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"
  - Checks computer location settings
- Depth 104, PID 3176: C:\Windows\SysWOW64\server.exe
  Command line: "C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"
  - Checks computer location settings
  - Drops file in System32 directory
- Depth 105, PID 3532: C:\Windows\SysWOW64\server.exe
  Command line: "C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"
  - Checks computer location settings
- Depth 106, PID 712: C:\Windows\SysWOW64\server.exe
  Command line: "C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"
  - Checks BIOS information in registry
  - Checks computer location settings
- Depth 107, PID 2780: C:\Windows\SysWOW64\server.exe
  Command line: "C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"
  - Checks BIOS information in registry
  - System Location Discovery: System Language Discovery
  - Enumerates system info in registry
- Depth 108, PID 960: C:\Windows\SysWOW64\server.exe
  Command line: "C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"
  - Boot or Logon Autostart Execution: Active Setup
  - Checks computer location settings
  - Drops file in System32 directory
  - Checks processor information in registry
- Depth 109, PID 4384: C:\Windows\SysWOW64\server.exe
  Command line: "C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Enumerates system info in registry
- Depth 110, PID 1084: C:\Windows\SysWOW64\server.exe
  Command line: "C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"
  - Boot or Logon Autostart Execution: Active Setup
  - Enumerates system info in registry
- Depth 111, PID 760: C:\Windows\SysWOW64\server.exe
  Command line: "C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"
  - Boot or Logon Autostart Execution: Active Setup
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
- Depth 112, PID 3984: C:\Windows\SysWOW64\server.exe
  Command line: "C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"
  - Checks BIOS information in registry
  - Checks computer location settings
  - Checks processor information in registry
- Depth 113, PID 2552: C:\Windows\SysWOW64\server.exe
  Command line: "C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"
  - Enumerates system info in registry
- Depth 114, PID 3616: C:\Windows\SysWOW64\server.exe
  Command line: "C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"
  - Checks BIOS information in registry
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Enumerates system info in registry
- Depth 115, PID 2172: C:\Windows\SysWOW64\server.exe
  Command line: "C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"
  - Adds Run key to start application
  - Drops file in System32 directory
  - Checks processor information in registry
  - Enumerates system info in registry
- Depth 116, PID 3644: C:\Windows\SysWOW64\server.exe
  Command line: "C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"
  - Adds Run key to start application
  - Enumerates system info in registry
- Depth 117, PID 3352: C:\Windows\SysWOW64\server.exe
  Command line: "C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"
  - Checks BIOS information in registry
  - Adds Run key to start application
- Depth 118, PID 5016: C:\Windows\SysWOW64\server.exe
  Command line: "C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"
  - Enumerates system info in registry
- Depth 119, PID 2128: C:\Windows\SysWOW64\server.exe
  Command line: "C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Enumerates system info in registry
- Depth 120, PID 4112: C:\Windows\SysWOW64\server.exe
  Command line: "C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"
  - Boot or Logon Autostart Execution: Active Setup
  - Checks BIOS information in registry
  - Checks computer location settings
  - Adds Run key to start application
- Depth 121, PID 376: C:\Windows\SysWOW64\server.exe
  Command line: "C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"
  - Checks BIOS information in registry
  - Checks computer location settings
  - Checks processor information in registry
- Depth 122, PID 1544: C:\Windows\SysWOW64\server.exe
  Command line: "C:\Windows\system32\server.exe" "C:\Windows\SysWOW64\server.exe"
  - Adds Run key to start application
  - Checks processor information in registry
  - Enumerates system info in registry